Securing the .edu top-level domain with DNSSEC

The .edu domain will soon support DNSSEC authentication to bring better …

DNS security continues its slow march to the root servers with today's announcement that the educational top-level domain ".edu" will roll out the DNSSEC protocol for testing this month, with a full deployment to follow by March 2010.

The domain name system (DNS) translates names like arstechnica.com into numerical IP addresses, but the decades-old DNS protocol provides little to no security. Attackers have found ways to poison a resolver's DNS cache, redirecting users who think they're visiting one site to another, quite different site. The insecurity of this fundamental piece of Internet architecture has been a boon for phishers and other miscreants, and the problems have been recognized for years.

DNSSEC removes the "blind trust" element of the current system by using public-key cryptography to authenticate DNS resolution. Despite its ten years of development, the protocol is only now gaining acceptance, in part due to the complexity of the implementation.

Now, the protocol is coming to ".edu" addresses. The ".edu" registry is managed by EDUCAUSE, which will let a few selected campuses demo the technology in a "nonproduction environment" this fall. Next year, all ".edu" institutions will be able to digitally sign their own DNS data under the signed ".edu" zone.

Diana Oblinger, president and CEO of EDUCAUSE, said today in a statement, "We are very pleased to be working with VeriSign and the U.S. Department of Commerce to add this important element of security to the Internet. Higher education is increasingly dependent on trustworthy and reliable digital communication for learning, research, and outreach. Adding DNSSEC to the .edu domain is a major step forward for our community and for the Internet. What we learn will be of value to other organizations around the world."

The major generic top-level domains are now all committed to the DNSSEC path, even if full deployment won't come for another year or two. But there's one layer of DNS servers above the top-level domains—the Internet's root servers—and the US government has announced its intention to upgrade them by the end of this year.

Once that happens, it will fall to the lower-level DNS servers and to individual websites to support the protocol; wide support means better security, while spotty support leaves gaps that can be exploited by man-in-the-middle attacks and other forms of mischief.